1. Field of the Invention
The present invention relates to a personal information distribution management system and a personal information distribution management method for managing distributions of personal information, and more particularly, to a personal information distribution management system and a personal information distribution management method which allow personal information to be distributed within a limited range in accordance with a personal information management policy.
The present invention also relates to a personal information service apparatus and a personal information service program for providing personal information. The present invention further relates to a personal information utilization apparatus and a personal information utilization program for utilizing personal information.
2. Description of the Related Art
Generally, in information distribution management systems, information to be distributed and a management policy for the information are encapsulated together to distribute and manage the information in units of capsules.
Here, the “management policy” refers to a policy which describes a disclosure utilization rule related to information, access right control, distribution range and the like, and is created by an owner (for example, a system manager) who manages the information.
For example, JP-A-2000-048076 describes an example of conventional information distribution management systems for managing information in accordance with a management policy.
The information distribution management system described in JP-A-2000-048076, in distributing digital literary works, describes utilization conditions for them, controls utilization of the digital literary works, controls utilization of secondary literary works, and manages accounting for the digital literary works.
Also, the information distribution management system described in JP-A-2000-048076 comprises an editor, a ticket server, a distribution center, and a viewer.
In the information distribution management system, the viewer decrypts encrypted literary work data included in an encapsulated literary work and reproduces the recovered literary work data only when a ticket has been acquired.
The information distribution management system described in JP-A-2000-048076, which has the foregoing configuration, operates in the following manner.
The editor encapsulates, together with the encrypted literary work data, utilization conditions for each utilization method and utilization secret information, the latter obtained by re-encrypting the decryption key for the encrypted literary work data with a ticket key that differs from one utilization method to another.
The ticket server manages the utilization conditions and ticket keys generated by the editor. The ticket server also issues a ticket including a ticket key when a utilization method is permitted for a request for utilization from a user.
The distribution center manages encapsulated literary works, and transmits an appropriate encapsulated literary work in response to a request for utilization from the user.
The viewer acquires the encapsulated literary work from the distribution center, and also acquires a ticket related to the utilization from the ticket server. The viewer can decrypt encrypted literary work data included in the encapsulated literary work for reproduction only when it acquires an appropriate ticket.
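The editor, ticket server and viewer roles just described, modelled as an added Python example that is not part of JP-A-2000-048076 or of this specification: the editor encrypts the work once and re-encrypts its decryption key once per utilization method under that method's ticket key, the ticket server releases a ticket only when the method's utilization condition is met, and the viewer can reproduce the work only with a matching ticket. The HMAC-SHA256 keystream is a toy cipher standing in for whatever encryption the reference uses, and the callable conditions and dictionary layouts are assumptions made here.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode); illustrative only."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Capsule:
    encrypted_work: bytes
    nonce: bytes
    tag: bytes          # MAC of the ciphertext under the work key, so a wrong key is detected
    conditions: dict    # utilization method -> condition (assumed here to be a callable)
    secret_info: dict   # utilization method -> work key re-encrypted under that method's ticket key

class Editor:
    def encapsulate(self, work: bytes, conditions: dict):
        """Encrypt once, wrap the key per method; ticket keys go to the ticket server, never into the capsule."""
        work_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ticket_keys = {m: secrets.token_bytes(32) for m in conditions}
        secret_info = {m: xor_stream(tk, b"wrap:" + m.encode(), work_key)
                       for m, tk in ticket_keys.items()}
        enc = xor_stream(work_key, nonce, work)
        tag = hmac.new(work_key, b"tag" + enc, hashlib.sha256).digest()
        return Capsule(enc, nonce, tag, dict(conditions), secret_info), ticket_keys

class TicketServer:
    def __init__(self, conditions: dict, ticket_keys: dict):
        self.conditions, self.ticket_keys = conditions, ticket_keys

    def issue_ticket(self, method: str, user: dict):
        """Issue a ticket carrying the ticket key only if the method's condition holds."""
        cond = self.conditions.get(method)
        if cond is None or not cond(user):
            return None
        return {"method": method, "ticket_key": self.ticket_keys[method]}

class Viewer:
    def reproduce(self, capsule: Capsule, ticket):
        """Recover the work; None without a valid ticket for a method the capsule supports."""
        if ticket is None or ticket["method"] not in capsule.secret_info:
            return None
        m = ticket["method"]
        work_key = xor_stream(ticket["ticket_key"], b"wrap:" + m.encode(), capsule.secret_info[m])
        expected = hmac.new(work_key, b"tag" + capsule.encrypted_work, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, capsule.tag):
            return None  # wrong or forged ticket key: do not reproduce garbage
        return xor_stream(work_key, capsule.nonce, capsule.encrypted_work)

# Constructed utilization conditions: viewing needs a paid user, printing also the JP region.
CONDITIONS = {"view": lambda u: u.get("paid", False),
              "print": lambda u: u.get("paid", False) and u.get("region") == "JP"}
```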
JP-A-2003-345931 in turn describes an example of information distribution management systems for distributing and managing personal information.
The information distribution management system described in JP-A-2003-345931 is intended to protect the privacy of personal information providers and improve convenience for users in regard to the utilization of personal information when information related to individuals is managed and distributed.
The information distribution management system described in JP-A-2003-345931 comprises a personal information service apparatus, a personal information utilization apparatus, a utilization environment certifying authority, and a personal information capsule certifying authority.
In the information distribution management system described in JP-A-2003-345931, the personal information service apparatus encapsulates personal information together with disclosure utilization provision determining means to generate a personal information capsule.
The disclosure utilization provision determining means is generated by the personal information service apparatus based on a utilization environment certificate received from the utilization environment certifying authority.
The utilization environment certificate in turn is generated when the personal information utilization apparatus registers a utilization environment in the utilization environment certifying authority.
A personal information capsule generated by the personal information service apparatus is registered in the personal information capsule certifying authority, such that the personal information capsule certifying authority issues a capsule certificate as required.
The personal information utilization apparatus ascertains the validity of a personal information capsule acquired from the personal information service apparatus with a capsule certificate issued by the personal information capsule certifying authority. Then, the personal information utilization apparatus accesses personal information using the disclosure utilization provision determining means included in the personal information capsule.
The disclosure utilization provision determining means compares utilization environment information associated with the personal information utilization apparatus with a utilization environment certificate supplied from the utilization environment certifying authority to permit the personal information utilization apparatus to access personal information.
Massimo Marchiori, “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification,” [online], Apr. 16, 2002 [searched on May 30, 2005], on the Internet <URL: http://www.w3.org/TR/2002/REC-P3P-20020416/>, sections 2.2, 2.3, 3.2 and 3.3, describes P3P (Platform for Privacy Preferences), which is planned by the W3C (World Wide Web Consortium).
P3P is a standard for describing privacy policies in order to protect privacy on the web and to exchange information on the web.
P3P is intended to provide services based on agreements between users and service providers on the web, such that personal information on users is utilized only for the purposes of utilization intended by the users.
In this event, a web site correctly discloses criteria for utilizing personal information (privacy policy), such that a user reads the privacy policy disclosed by the web site to determine whether or not the user should send personal information.
FIG. 1 is an explanatory diagram showing a P3P-based personal information exchange scheme. In the following, a form of negotiations between a P3P-based web browser owned by a user and a web server will be described with reference to FIG. 1.
The user uses a user terminal in which a browser that supports P3P has previously been installed. The web server, on the other hand, holds a P3P policy which describes in advance the type of personal information to be collected, the purpose and extent of utilizing the personal information, and the like. The P3P policy is stored in a location which can be accessed by the web browser on the user terminal.
Also, together with the P3P policy, the web server is provided with a policy reference which describes a correspondence relationship between URIs (Uniform Resource Identifiers) of web pages and URIs of P3P policies.
First, the user accesses a web page of the web server using the user terminal. The browser on the user terminal in turn acquires a policy reference corresponding to the web page from the web server (step 1 shown in FIG. 1).
The browser further acquires the P3P policy from the web server (step 2). The browser compares the acquired P3P policy with the user's preferences to confirm whether or not there is a problem in the P3P policy (step 3). When there is no problem, the browser sends personal information to the web server, and accesses the web page (step 4).
On the other hand, if the P3P policy does not comply with the user's preferences, the browser can alert the user when the user is allowed to access the web site.
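The four steps above, as an added Python example that is not part of this specification or of the P3P reference: the browser resolves the page's policy through the policy reference file (step 1), reads the named P3P policy (step 2), compares its PURPOSE, RECIPIENT and RETENTION elements with the user's preferences (step 3), and sends personal information only when nothing is refused (step 4), alerting the user otherwise. The two XML documents use P3P 1.0 vocabulary but are constructed samples, the preference table is a simplification assumed here (P3P proper expresses preferences in APPEL), and `shop.example` and the file paths are placeholders.

```python
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file (fetched in step 1): page URI patterns -> policy URI.
POLICY_REF_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
 <POLICY-REF about="/w3c/policies.xml#shop">
  <INCLUDE>/shop/*</INCLUDE><EXCLUDE>/shop/catalog/*</EXCLUDE></POLICY-REF>
 <POLICY-REF about="/w3c/policies.xml#browse"><INCLUDE>/*</INCLUDE></POLICY-REF>
</POLICY-REFERENCES></META>"""

# Constructed policies file (fetched in step 2) holding the two named P3P policies.
POLICIES_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://shop.example/privacy.html"><STATEMENT>
  <PURPOSE><current/><telemarketing/></PURPOSE><RECIPIENT><ours/><unrelated/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP></STATEMENT></POLICY>
 <POLICY name="browse" discuri="http://shop.example/privacy.html"><STATEMENT>
  <PURPOSE><current/><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
  <RETENTION><no-retention/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP></STATEMENT></POLICY></POLICIES>"""

# Constructed user preferences (step 3): P3P vocabulary elements the user refuses.
USER_PREFS = {"PURPOSE": {"telemarketing", "contact"},
              "RECIPIENT": {"unrelated", "public"}, "RETENTION": {"indefinitely"}}

def resolve_policy_name(policy_ref_xml: str, page_path: str):
    """Step 1: first POLICY-REF whose INCLUDE matches the page path and no EXCLUDE does."""
    for ref in ET.fromstring(policy_ref_xml).iter(NS + "POLICY-REF"):
        hit = {tag: any(fnmatch.fnmatchcase(page_path, e.text) for e in ref.findall(NS + tag))
               for tag in ("INCLUDE", "EXCLUDE")}
        if hit["INCLUDE"] and not hit["EXCLUDE"]:
            return urlparse(ref.get("about")).fragment   # "#shop" -> "shop"
    return None

def check_policy(policies_xml: str, name: str, prefs: dict) -> list:
    """Steps 2-3: list every PURPOSE/RECIPIENT/RETENTION element the user refuses."""
    policy = next(p for p in ET.fromstring(policies_xml).iter(NS + "POLICY")
                  if p.get("name") == name)
    violations = []
    for stmt in policy.iter(NS + "STATEMENT"):
        for category, refused in prefs.items():
            node = stmt.find(NS + category)
            for child in (list(node) if node is not None else []):
                if child.tag[len(NS):] in refused:
                    violations.append(f"{category}/{child.tag[len(NS):]}")
    return violations

def negotiate(page_path: str, prefs: dict = USER_PREFS) -> dict:
    """Step 4: send personal information only when the policy raised no problem; else alert."""
    name = resolve_policy_name(POLICY_REF_XML, page_path)
    violations = ["no policy"] if name is None else check_policy(POLICIES_XML, name, prefs)
    return {"policy": name, "violations": violations, "send": not violations}
```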
In the conventional information distribution management systems described in JP-A-2000-048076 and JP-A-2003-345931, either the generation apparatus for generating information or the utilization apparatus for utilizing information can present predetermined contract terms for distributing information, and distribute information when the other party agrees on the contents of the contract terms.
However, the information generation apparatus and utilization apparatus cannot mutually present their respective policies and contract terms related to information management and transmission (send), and distribute personal information under agreements based on the mutual policies and contract terms.
Nor do the conventional information distribution management systems described in JP-A-2000-048076 and JP-A-2003-345931 disclose means for controlling the utilization of personal information based on contract terms.
Accordingly, the conventional information distribution management systems have a first problem in that apparatuses involved in the distribution of personal information cannot distribute, manage, and utilize personal information taking into consideration contract information which defines the information management, purpose of utilizing information, and distribution range of each apparatus.
In other words, in the conventional information distribution management system, the generation apparatus simply confirms the purpose of utilization and distribution range presented by the utilization apparatus, to which personal information is sent, in regard to the personal information to be sent, and the generation apparatus transmits (sends) the personal information to the utilization apparatus without contract terms being shared by the utilization apparatus and generation apparatus.
Thus, the utilization apparatus, which has received the personal information, cannot confirm whether or not the generation apparatus appropriately processed the policy presented thereby, so that responsibility for the management of personal information between the generation apparatus and utilization apparatus remains indefinite.
Also, the conventional information distribution management systems described in JP-A-2000-048076 and JP-A-2003-345931 do not have means for confirming contract terms made with the personal information generation apparatus and for holding the result of the confirmation, when the personal information utilizing means in the utilization apparatus extracts personal information from personal information holding means for utilization.
This leaves it indefinite where responsibility lies in regard to compliance with the contract terms between the personal information utilizing means and the storing means.
Since personal information deeply relates to individuals' privacy, it is desirable to exercise great care in selecting information itself to be distributed and in confirming the purpose of utilizing the information.
It is also desirable to previously come to an agreement between the personal information generation apparatus and the personal information utilization apparatus or between utilization apparatuses in regard to elements of personal information to be communicated therebetween, purpose of utilizing the personal information, range of distribution, and the like, such that the respective apparatuses can appropriately distribute, manage, and utilize personal information with responsibility.
The conventional information distribution management systems described in JP-A-2000-048076 and JP-A-2003-345931 each generate a capsule which includes only an information management policy of the information generation apparatus when information to be distributed is encapsulated.
Accordingly, the information management policy on the generation apparatus side is only taken into consideration, whereas no consideration is given to the policy or the contract terms related to information management and transmission on the information capsule utilization apparatus side.
The conventional information distribution management systems therefore have a second problem in which the apparatus which utilizes and manages personal information cannot manage the distribution of personal information in consideration of policies related to its own information management and transmission, which defines the purpose of utilizing the information, and the like.
Here, the “policies related to information management and transmission” refer to those policies which show rules related to distribution of information, applied by each apparatus only within the apparatus itself.
The personal information utilization apparatus manages personal information based on its own information management policy and contract terms.
Therefore, the personal information utilization apparatus, as long as it is responsible for management, should define a transmission policy by itself and comply with the defined policy while taking into consideration the contract terms presented by the personal information generation apparatus. For example, even if the personal information generation apparatus admits wide distribution of its personal information in the contract terms, the utilization apparatus could leak individuals' private information, and thus become the perpetrator of a privacy violation, by distributing the personal information even within the range admitted by the generation apparatus.
Accordingly, the information utilization apparatus itself must properly manage personal information so as to avoid leaking individuals' private information. It is therefore desirable that the utilization apparatus appropriately limit the distribution of personal information based on a transmission policy determined by itself, in addition to the contract terms.
Also, in the information distribution management system described in JP-A-2000-048076, a copyright holder for a digital literary work cannot always manage a policy under which the digital literary work is managed.
It is therefore desirable, when personal information is handled, that not only the personal information generation apparatus but also the personal information utilization apparatus has its own management policy, so that personal information is managed taking into consideration the management policy of the utilization apparatus as well.
As appreciated from the foregoing, an information distribution management system which distributes information taking into consideration only a management policy determined by the information generation apparatus cannot be applied, as it is, to the management of distributions of personal information.
Also, in the information distribution management system described in JP-A-2003-345931, the personal information generation apparatus manages information taking into consideration distribution within a predetermined common utilization range based on the management policy of the information generation apparatus included in a personal information capsule.
In other words, the system can manage information only under the presumed management policy of the information generation apparatus.
Also, as described above, in conventional information distribution management systems, the information generation apparatus and utilization apparatus cannot distribute personal information under agreements based on their mutual policies and contract terms.
Consequently, conventional information distribution management systems have a third problem in that, when existing personal information is reused, its distribution cannot be managed taking into consideration the policies and contract information related to information management and transmission of each apparatus.
Also, as described above, in the conventional information distribution management systems, the information generation apparatus and utilization apparatus cannot distribute personal information under agreements based on mutual policies and contract terms.
Further, the conventional information distribution management systems only consider the information management policy associated with the generation apparatus, but do not consider the policy and contract terms related to information management and transmission associated with the information capsule utilization apparatus.
Consequently, the conventional information distribution management systems have a fourth problem in that, when the personal information generation apparatus or utilization apparatus must transmit personal information managed thereby for a reason other than a request for utilization from a utilization apparatus other than itself, the systems cannot manage the distribution of personal information taking into consideration the policies and contract information related to information management and transmission of each device.
Also, the conventional information distribution management systems do not disclose means for recording whether or not personal information has been appropriately utilized or means for referencing the record.
Consequently, the conventional information distribution management systems have a fifth problem in which an individual himself, who provides personal information, cannot confirm whether or not a utilization apparatus appropriately utilizes the personal information.